Network Setup - 2 on-prem locations 1 AWS region
Hi, I would like to know what would be the best possible option in terms of complexity and cost for the scenario below that we are trying to implement for a client. Customer A has all web apps deployed on-prem and has clients that come through a co-located VPN-based network (say ClientNet network) to access those apps. Now all these apps will be deployed in AWS regions (Prod and Non-prod VPCs), so in essence Customer A will now be on AWS and all these clients will need to access these apps on AWS via this ClientNet network. At the same time, there will be some to and from communication between AWS VPCs and Customer A's network for stuff that will still be hosted on-prem like Active Directory and other COTS. Can this be achieved without creating 2 separate Direct Connects or 2 separate VPNs? By 2 separate DCs I mean one DC between ClientNet and AWS and one DC between Customer A on-prem and AWS, and the same applies for VPN if we were to replace DC with VPN. Can TGW be used to consolidate this into just one connection, whether it's DC or VPN, that can be assessed later based on requirements for security and bandwidth?
It is probably best if you discuss this with your account's Solutions Architect but here are some general guidelines:
- If you are worried about time to market and need to set up connectivity quickly, then VPN would be an easy and quick way to set up connectivity to AWS
- Note that IPsec VPN over the internet is a best-effort solution, meaning there is no SLA and it is prone to issues
- If you want predictable latency and a reliable path to AWS with SLA, monitoring, etc., then Direct Connect (DX) is the answer
- You could also have DX as the primary and VPN as the secondary/failover path for high availability
- With AWS managed VPN there is a bandwidth limitation of 1.25 Gbps if you terminate it on a Virtual Private Gateway (VGW). If you do decide to use Transit Gateway, you can use ECMP and bundle multiple VPN tunnels to get more aggregate bandwidth
- If you are looking for a scalable solution, then Transit Gateway is the answer: you can set up hub-and-spoke connectivity to multiple VPCs. TGW is a regional construct, but you can do inter- as well as intra-region TGW peering and consolidate all connectivity within AWS regions.
- You mentioned 1 region in the subject, but in future if you do expand to a multi-region architecture you can then think of a DX + DXGW + TGW architecture. Direct Connect Gateway is a global construct and can give you connectivity to up to 3 TGWs in 3 different regions.
Answer to your main question:
Can TGW be used to consolidate this into just one connection, whether it's Direct Connect or VPN, that can be assessed later based on requirements for security and bandwidth?
- Yes, you can use TransitGateway to consolidate all the connectivity from your on-premises to AWS:
- It supports Site-to-site VPN (Over the internet or Over DX Public VIF)
- Connectivity via DX using Transit VIF
- Provides inter or intra region connectivity
- SD-WAN connectivity options using Connect attachment
Lastly, I recommend going through the AWS Hybrid Connectivity Whitepaper which has several reference Connectivity models described:
Hope this helps.
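An added example, not from the question or the answer above, of the consolidation the answer describes, written in Terraform for the AWS provider: one Transit Gateway with ECMP enabled terminates a VPN from each on-prem site (ClientNet and Customer A), and separate TGW route tables ensure ClientNet only learns routes to the app VPC and never to Customer A's on-prem network. ASNs, peer IPs and the `var.prod_*` values are placeholders.

```hcl
resource "aws_ec2_transit_gateway" "hub" {
  amazon_side_asn                 = 64512
  vpn_ecmp_support                = "enable"  # bundle tunnels beyond 1.25 Gbps
  default_route_table_association = "disable" # segment explicitly below
  default_route_table_propagation = "disable"
}
resource "aws_customer_gateway" "site" { # placeholder ASNs and peer IPs
  for_each = {
    clientnet  = { asn = 65001, peer_ip = "203.0.113.10" }
    customer_a = { asn = 65002, peer_ip = "198.51.100.10" }
  }
  bgp_asn    = each.value.asn
  ip_address = each.value.peer_ip
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "site" { # one VPN attachment per site, same TGW
  for_each            = aws_customer_gateway.site
  customer_gateway_id = each.value.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
}
resource "aws_ec2_transit_gateway_vpc_attachment" "prod" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.prod_vpc_id         # placeholder variable
  subnet_ids         = var.prod_tgw_subnet_ids # placeholder variable
}
resource "aws_ec2_transit_gateway_route_table" "rt" { # one per site + VPC side
  for_each           = toset(["clientnet", "customer_a", "vpcs"])
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "site" {
  for_each                       = aws_vpn_connection.site
  transit_gateway_attachment_id  = each.value.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.key].id
}
resource "aws_ec2_transit_gateway_route_table_association" "prod" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.prod.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["vpcs"].id
}
# Each site table learns only the VPC; the VPC table learns both sites.
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_to_site" {
  for_each                       = aws_vpn_connection.site
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.prod.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt[each.key].id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "site_to_vpc" {
  for_each                       = aws_vpn_connection.site
  transit_gateway_attachment_id  = each.value.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.rt["vpcs"].id
}
```

The Non-prod VPC is attached the same way as `prod`; because no site table propagates from the other site's VPN attachment, ClientNet and Customer A's network have no route to each other through the TGW. Swapping the VPN attachments for a DX Transit VIF later changes only the attachment resources, not the route-table design.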